
In Application Security, the CVSS score is our universal language. For nearly two decades, it has been the bedrock of vulnerability management, providing a standardized way to score the technical severity of flaws in software.
From Cross-Site Scripting to Log4Shell, CVSS gives us a common metric to prioritize patches, communicate risk, and build a more secure foundation.
This role is more critical than ever, as frameworks like the NIST AI Risk Management Framework (AI RMF) mandate that organizations “Measure” their risks. CVSS is an essential tool for fulfilling that mandate on the traditional code vulnerabilities that underpin AI systems.
But as our applications evolve, so must our methods of measurement.
The rise of AI-powered development and autonomous agentic systems introduces a new dimension of risk that goes beyond traditional code flaws.
These agents are more than just applications; they are dynamic actors that can reason, plan, and execute tasks. While CVSS can score a vulnerability in an agent’s underlying code, it was never designed to assess the risk inherent in the agent’s autonomous behavior.
From Scoring Vulnerabilities to Measuring Agentic Risk
Consider an AI agent designed to manage cloud infrastructure. A malicious actor provides a seemingly innocent prompt that exploits a subtle ambiguity in the agent’s natural language understanding. The agent, in turn, misinterprets the goal and autonomously decommissions a production database.
Here, the “vulnerability” might be a minor flaw in an NLP library, perhaps a 5.3 Medium on the CVSS scale. But the risk is catastrophic. The real danger isn’t the flaw itself, but the autonomous action that follows.
This is the gap AIVSS was created to fill: AIVSS extends CVSS to measure risks that emerge from an agent’s unique behavioral characteristics, not just from code vulnerabilities.
AIVSS: Extending CVSS to Measure a New Class of Risk
The OWASP AIVSS project provides the framework to quantify these new, behavior-driven risks. It’s not a replacement for CVSS, but a critical extension that allows security teams to measure the full risk profile of Agentic AI systems.
AIVSS works by incorporating a range of agentic AI risk factors that are simply outside the scope of traditional vulnerability scoring.
AIVSS helps us answer crucial questions that CVSS alone cannot:
- Autonomy: How much damage can an agent do on its own if its goal is manipulated? The AIVSS score scales with the agent’s degree of freedom.
- Tool Use: What is the risk profile of the tools the agent can access? An agent with a code interpreter and API keys to production systems carries far more inherent risk than one limited to a search tool.
- Memory Use: How does the agent’s ability to learn and remember over time create new attack vectors like context poisoning or sensitive data leakage from its long-term memory?
- Dynamic Identity: Can the agent create or assume different identities, making it difficult to trace its actions or enabling it to spoof other agents or users?
- Complex Agent-to-Agent Orchestration: In multi-agent systems, how can complex interaction patterns be exploited to turn one compromised agent into a cascading failure across the entire system?
- Non-deterministic Behavior: How do we account for the risk that an agent might behave unpredictably, even when given the same inputs, leading to unforeseen security consequences?
AIVSS uses mechanisms like the Agent Characteristics Multiplier (ACM) to convert the answers to these questions into a quantifiable risk factor. This factor then works in concert with a CVSS-style base score to produce a more holistic and accurate picture of the true risk.
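To make the idea of a multiplier working alongside a base score concrete, here is an added illustration that is not taken from the OWASP AIVSS specification or from the author. The linear weighting, the `MAX_ACM` ceiling, the 0.0 to 1.0 rating scale and both agent profiles are assumptions constructed for this example; only the six factor names and the 5.3 base score come from the article.

```python
# Illustrative only: this weighting is an assumption, NOT the official AIVSS formula.
FACTORS = ("autonomy", "tool_use", "memory_use", "dynamic_identity",
           "orchestration", "non_determinism")
MAX_ACM = 2.0  # assumed ceiling: a fully agentic system doubles the base score

def agent_multiplier(ratings):
    """Map per-factor ratings (0.0 to 1.0) to a multiplier in [1.0, MAX_ACM]."""
    missing = [f for f in FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    for f in FACTORS:
        if not 0.0 <= ratings[f] <= 1.0:
            raise ValueError(f"{f} rating must be between 0.0 and 1.0")
    mean = sum(ratings[f] for f in FACTORS) / len(FACTORS)
    return 1.0 + (MAX_ACM - 1.0) * mean

def severity(score):
    """CVSS v3.x qualitative severity bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"

def agentic_score(cvss_base, ratings):
    """Scale a CVSS-style base score by the agent multiplier, capped at 10.0."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    score = min(10.0, round(cvss_base * agent_multiplier(ratings), 1))
    return score, severity(score)

def top_drivers(ratings):
    """Highest-rated factors: the first candidates for guardrails."""
    peak = max(ratings[f] for f in FACTORS)
    return [f for f in FACTORS if peak > 0 and ratings[f] == peak]

# Constructed profiles: a search-only assistant and the cloud infrastructure agent.
SEARCH_AGENT = {"autonomy": 0.5, "tool_use": 0.0, "memory_use": 0.0,
                "dynamic_identity": 0.0, "orchestration": 0.0, "non_determinism": 0.5}
CLOUD_AGENT = {"autonomy": 1.0, "tool_use": 1.0, "memory_use": 0.5,
               "dynamic_identity": 0.5, "orchestration": 0.5, "non_determinism": 1.0}

if __name__ == "__main__":
    for name, agent in (("search", SEARCH_AGENT), ("cloud", CLOUD_AGENT)):
        print(name, agentic_score(5.3, agent), top_drivers(agent))
```

Under these assumed weights, the same 5.3 flaw stays Medium in the search-only agent and becomes Critical in the cloud agent, and `top_drivers` shows which characteristics to constrain first.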
Building a NIST-Aligned, Future-Ready Security Program
By integrating AIVSS, organizations can create a more robust and compliant security posture. This dual approach allows you to:
- Use CVSS to score the technical vulnerabilities in the agent’s foundational code, libraries, and infrastructure.
- Use AIVSS to measure the emergent, behavioral risks arising from the agent’s autonomy, tool access, and other unique characteristics.
Together, they provide a comprehensive measurement capability that aligns perfectly with the NIST AI RMF’s call to identify, measure, and manage the full spectrum of AI risks.
The future of AppSec isn’t about discarding our proven tools; it’s about enhancing them. By leveraging CVSS for what it does best and extending it with AIVSS to cover the new agentic attack surface, security teams can build a complete, data-driven strategy for the AI era. To get started on this journey, explore the groundbreaking work being done in the OWASP AIVSS project today. Visit aivss.owasp.org to learn more about the project or to get involved in our ongoing effort.
About Ken Huang
Ken Huang is a prolific author and renowned expert in AI Security and Web3, with numerous published books spanning business, technical and security guides as well as cutting-edge research. He is a Research Fellow and Co-Chair of the AI Safety Working Groups at the Cloud Security Alliance, Co-Chair of the OWASP AIVSS project, and Co-Chair of the AI STR Working Group at the World Digital Technology Academy. He is also an Adjunct Professor at the University of San Francisco, where he teaches a graduate course on Generative AI for Data Security.